Adam Pippin
4 years ago
2 changed files with 133 additions and 0 deletions
@ -0,0 +1 @@ |
|||
Proprietary |
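Review bot: the new LICENSE file consists of the single word `Proprietary`, which names neither a copyright holder nor any terms; a restrictive license still needs to state who holds the rights and what, if anything, recipients may do with the code, so consider replacing the bare label with a short statement of the form "Copyright (c) <year> <holder>. All rights reserved." (placeholders to be filled in by the author).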
@ -0,0 +1,132 @@ |
|||
# Cross Account Snapshots |
|||
|
|||
Two lambdas: |
|||
|
|||
* One to share all snapshots of a volume with a target account. |
|||
* One to copy all snapshots shared with an account into the local account. |
|||
|
|||
## Source Account Setup |
|||
|
|||
The volume you want to manage must be encrypted with a customer managed key, |
|||
not the default KMS key. |
|||
|
|||
### Lambda |
|||
|
|||
Create a lambda containing `share_snapshots.py`. |
|||
|
|||
Adjust: |
|||
|
|||
* `VOLUME_ID` to the volume id you want to share the snapshots of |
|||
* `TARGET_ACCOUNT` to the AWS account ID of the target account you want to |
|||
share with |
|||
|
|||
### IAM |
|||
|
|||
Attach the following IAM policy to the role you set up for your lambda, |
|||
replacing the `ca-central-1` region with the region you want to manage. |
|||
|
|||
{ |
|||
"Version": "2012-10-17", |
|||
"Statement": [ |
|||
{ |
|||
"Sid": "AllowModifySnapshotAttribute", |
|||
"Effect": "Allow", |
|||
"Action": "ec2:ModifySnapshotAttribute", |
|||
"Resource": "arn:aws:ec2:ca-central-1::snapshot/*" |
|||
}, |
|||
{ |
|||
"Sid": "AllowManageSnapshots", |
|||
"Effect": "Allow", |
|||
"Action": [ |
|||
"ec2:DescribeSnapshotAttribute", |
|||
"ec2:DescribeVolumes", |
|||
"ec2:DescribeSnapshots" |
|||
], |
|||
"Resource": "*" |
|||
} |
|||
] |
|||
} |
|||
|
|||
### KMS |
|||
|
|||
In the AWS console, navigate to your KMS key and scroll down to the "Other AWS Accounts" |
|||
section. Add your target account by id. |
|||
|
|||
## Target Account Setup |
|||
|
|||
### Lambda |
|||
|
|||
Create a lambda containing `clone_snapshots_locally.py`. |
|||
|
|||
Adjust: |
|||
|
|||
* `SOURCE_ACCOUNT` the source account's id |
|||
* `TARGET_ACCOUNT` your target account's id |
|||
* `KMS_KEYS` a dictionary mapping a source account KMS key arn to a KMS key arn in |
|||
your target account, specifying which key to reencrypt the snapshot with when |
|||
copying |
|||
* `RETENTION` a dictionary mapping strings in the description field to a number of |
|||
seconds to retain a snapshot after it has been detected that it was deleted |
|||
* `REGION` the region the source account's snapshots are located in |
|||
|
|||
### IAM |
|||
|
|||
Attach the following IAM policy to allow managing snapshots, replacing `ca-central-1` |
|||
with the region you want to manage. |
|||
|
|||
{ |
|||
"Version": "2012-10-17", |
|||
"Statement": [ |
|||
{ |
|||
"Sid": "AllowCopyAndDelete", |
|||
"Effect": "Allow", |
|||
"Action": [ |
|||
"ec2:CopySnapshot", |
|||
"ec2:DeleteSnapshot" |
|||
], |
|||
"Resource": "arn:aws:ec2:ca-central-1::snapshot/*" |
|||
}, |
|||
{ |
|||
"Sid": "AllowReadAndTag", |
|||
"Effect": "Allow", |
|||
"Action": [ |
|||
"ec2:CreateTags", |
|||
"ec2:DescribeSnapshots" |
|||
], |
|||
"Resource": "*" |
|||
} |
|||
] |
|||
} |
|||
|
|||
Add the following IAM policy to allow use of the shared KMS key from the source account, |
|||
replacing the resource arn with the arn of your source account's key: |
|||
|
|||
{ |
|||
"Version": "2012-10-17", |
|||
"Statement": [ |
|||
{ |
|||
"Sid": "AllowUseOfKey", |
|||
"Effect": "Allow", |
|||
"Action": [ |
|||
"kms:Encrypt", |
|||
"kms:Decrypt", |
|||
"kms:ReEncrypt*", |
|||
"kms:GenerateDataKey*", |
|||
"kms:DescribeKey", |
|||
"kms:CreateGrant" |
|||
], |
|||
"Resource": [ |
|||
"arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd" |
|||
] |
|||
} |
|||
] |
|||
} |
|||
|
|||
## Test |
|||
|
|||
1. Run the lambda in your source account, it should output that it has shared several snapshots. |
|||
2. Run the lambda in your target account, it should output that it has copied several snapshots. |
|||
|
|||
## Run Automatically |
|||
|
|||
Set up CloudWatch Events triggers to run your lambdas on a schedule. |
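Review bot: the Target Account Setup IAM section only grants the lambda use of the source account's key (the `AllowUseOfKey` statement with resource `arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd`), yet `KMS_KEYS` maps each source key to a key in the target account that the copy is re-encrypted with, and nothing in the README gives the lambda role access to those destination keys; either add the target key ARNs to that `Resource` list or document that each destination key's key policy must allow the role, since the copy cannot re-encrypt with a key the role is not permitted to use. Two scoping points in the same section: `AllowModifySnapshotAttribute` on the source side lets the role share any snapshot in the region with any account, although the lambda only ever adds `TARGET_ACCOUNT` (a condition on the `ec2:Add/userId` key would pin it to that account), and `AllowCopyAndDelete` on the target side grants `ec2:DeleteSnapshot` on `snapshot/*`, so a mistake in the `RETENTION` logic could delete snapshots the lambda did not create; since the role already has `ec2:CreateTags`, tagging the copies and conditioning the delete on that tag would bound the blast radius. Lastly, the "Run Automatically" step should say that the target account's schedule has to fire after the source account's, otherwise a target run can precede the share it is meant to copy and report nothing copied.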